MTX-3787 Update openssh to ver 8.4p1

author: Vyacheslav Pedash <vyacheslav.pedash@globallogic.com> 2021-02-08 18:41:15 +0200
committer: John Klug <john.klug@multitech.com> 2021-02-09 13:53:42 -0600
commit: b22c4ce0fcea2099fe598f5537d7cced50613c07 (patch)
tree: aaaed811e4db4086559fc4002b6aa255d16cbe41 /recipes-connectivity/openssh
parent: 58995ef9573038e7da17d4592ca14b90d62b3d10 (diff)
download: meta-mlinux-b22c4ce0fcea2099fe598f5537d7cced50613c07.tar.gz
meta-mlinux-b22c4ce0fcea2099fe598f5537d7cced50613c07.tar.bz2
meta-mlinux-b22c4ce0fcea2099fe598f5537d7cced50613c07.zip
21 files changed, 467 insertions, 266 deletions
diff --git a/recipes-connectivity/openssh/openssh/ssh.default b/recipes-connectivity/openssh/openssh-mlinux/ssh.default
index d5c0507..d5c0507 100644
--- a/recipes-connectivity/openssh/openssh/ssh.default
+++ b/recipes-connectivity/openssh/openssh-mlinux/ssh.default
diff --git a/recipes-connectivity/openssh/openssh-mlinux/sshd b/recipes-connectivity/openssh/openssh-mlinux/sshd
new file mode 100644
index 0000000..182650b
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh-mlinux/sshd
@@ -0,0 +1,11 @@
+#%PAM-1.0
+
+auth       include      common-auth
+account    required     pam_nologin.so
+account    include      common-account
+password   include      common-password
+session    optional     pam_keyinit.so force revoke
+session    optional     pam_radauth.so
+session    include      common-session
+session    required     pam_loginuid.so
+
diff --git a/recipes-connectivity/openssh/openssh-mlinux/sshd_check_keys b/recipes-connectivity/openssh/openssh-mlinux/sshd_check_keys
new file mode 100644
index 0000000..4af8d5c
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh-mlinux/sshd_check_keys
@@ -0,0 +1,82 @@
+#! /bin/sh
+
+generate_key() {
+    local FILE=$1
+    local TYPE=$2
+    local DIR="$(dirname "$FILE")"
+
+    mkdir -p "$DIR"
+    ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
+
+    # Atomically rename file public key
+    mv -f "${FILE}.tmp.pub" "${FILE}.pub"
+
+    # This sync does double duty: Ensuring that the data in the temporary
+    # private key file is on disk before the rename, and ensuring that the
+    # public key rename is completed before the private key rename, since we
+    # switch on the existence of the private key to trigger key generation.
+    # This does mean it is possible for the public key to exist, but be garbage
+    # but this is OK because in that case the private key won't exist and the
+    # keys will be regenerated.
+    #
+    # In the event that sync understands arguments that limit what it tries to
+    # fsync(), we provided them. If it does not, it will simply call sync()
+    # which is just as well
+    sync "${FILE}.pub" "$DIR" "${FILE}.tmp"
+
+    mv "${FILE}.tmp" "$FILE"
+
+    # sync to ensure the atomic rename is committed
+    sync "$DIR"
+}
+
+# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
+if test -f /etc/default/ssh; then
+    . /etc/default/ssh
+fi
+
+[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
+mkdir -p $SYSCONFDIR
+
+# parse sshd options
+set -- ${SSHD_OPTS} --
+sshd_config=/etc/ssh/sshd_config
+while true ; do
+    case "$1" in
+    -f*) if [ "$1" = "-f" ] ; then
+            sshd_config="$2"
+            shift
+        else
+            sshd_config="${1#-f}"
+        fi
+        shift
+        ;;
+    --) shift; break;;
+    *) shift;;
+    esac
+done
+
+HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}")
+[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_dsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key"
+
+for key in ${HOST_KEYS} ; do
+    [ -f $key ] && continue
+    case $key in
+    *_rsa_key)
+        echo "  generating ssh RSA host key..."
+        generate_key $key rsa
+        ;;
+    *_dsa_key)
+        echo "  generating ssh DSA host key..."
+        generate_key $key dsa
+        ;;
+    *_ecdsa_key)
+        echo "  generating ssh ECDSA host key..."
+        generate_key $key ecdsa
+        ;;
+    *_ed25519_key)
+        echo "  generating ssh ED25519 host key..."
+        generate_key $key ed25519
+        ;;
+    esac
+done
diff --git a/recipes-connectivity/openssh/openssh-mlinux/sshd_config b/recipes-connectivity/openssh/openssh-mlinux/sshd_config
new file mode 100644
index 0000000..7e9da84
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh-mlinux/sshd_config
@@ -0,0 +1,122 @@
+#	$OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+
+# The default requires explicit activation of protocol 1
+Protocol 2
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#PermitUserEnvironment no
+Compression no
+ClientAliveInterval 15
+ClientAliveCountMax 4
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem	sftp	/usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
diff --git a/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch b/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch
new file mode 100644
index 0000000..b88bc18
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch
@@ -0,0 +1,28 @@
+From 0f90440ca70abab947acbd77795e9f130967956c Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Fri, 20 Nov 2020 13:37:54 +1100
+Subject: [PATCH] Add new pselect6_time64 syscall on ARM.
+
+This is apparently needed on armhfp/armv7hl.  bz#3232, patch from
+jjelen at redhat.com.
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Upstream-Status: Backport
+[fixes issues on 32bit IA and probably other 32 bit platforms too with glibc 2.33]
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index e0768c063..5065ae7ef 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_pselect6
+ 	SC_ALLOW(__NR_pselect6),
+ #endif
++#ifdef __NR_pselect6_time64
++	SC_ALLOW(__NR_pselect6_time64),
++#endif
+ #ifdef __NR_read
+ 	SC_ALLOW(__NR_read),
+ #endif
diff --git a/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch b/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch
new file mode 100644
index 0000000..b8402a4
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch
@@ -0,0 +1,47 @@
+Adjust test cases to work with busybox.
+
+- Replace dd parameter "obs" with "bs".
+- Replace "head -<num>" with "head -n <num>".
+
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+Upstream-Status: Pending
+
+Index: openssh-7.6p1/regress/cipher-speed.sh
+===================================================================
+--- openssh-7.6p1.orig/regress/cipher-speed.sh
++++ openssh-7.6p1/regress/cipher-speed.sh
+@@ -17,7 +17,7 @@ for c in `${SSH} -Q cipher`; do n=0; for
+ 		printf "%-60s" "$c/$m:"
+ 		( ${SSH} -o 'compression no' \
+ 			-F $OBJ/ssh_proxy -m $m -c $c somehost \
+-			exec sh -c \'"dd of=/dev/null obs=32k"\' \
++			exec sh -c \'"dd of=/dev/null bs=32k"\' \
+ 		< ${DATA} ) 2>&1 | getbytes
+ 
+ 		if [ $? -ne 0 ]; then
+Index: openssh-7.6p1/regress/transfer.sh
+===================================================================
+--- openssh-7.6p1.orig/regress/transfer.sh
++++ openssh-7.6p1/regress/transfer.sh
+@@ -13,7 +13,7 @@ cmp ${DATA} ${COPY}		|| fail "corrupted
+ for s in 10 100 1k 32k 64k 128k 256k; do
+ 	trace "dd-size ${s}"
+ 	rm -f ${COPY}
+-	dd if=$DATA obs=${s} 2> /dev/null | \
++	dd if=$DATA bs=${s} 2> /dev/null | \
+ 		${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
+ 	if [ $? -ne 0 ]; then
+ 		fail "ssh cat $DATA failed"
+Index: openssh-7.6p1/regress/key-options.sh
+===================================================================
+--- openssh-7.6p1.orig/regress/key-options.sh
++++ openssh-7.6p1/regress/key-options.sh
+@@ -47,7 +47,7 @@ for f in 127.0.0.1 '127.0.0.0\/8'; do
+ 	fi
+ 
+ 	sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
+-	from=`head -1 $authkeys | cut -f1 -d ' '`
++	from=`head -n 1 $authkeys | cut -f1 -d ' '`
+ 	verbose "key option $from"
+ 	r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'`
+ 	if [ "$r" = "true" ]; then
diff --git a/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch b/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
index 7e043a2..20036da 100644
--- a/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
+++ b/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
@@ -11,14 +11,17 @@ would lead to program abort.
 Upstream-Status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608]
 
 Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+
+Complete the fix
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
 ---
- openbsd-compat/strlcat.c | 8 ++++++--
- openbsd-compat/strlcpy.c | 8 ++++++--
- openbsd-compat/strnlen.c | 8 ++++++--
- 3 files changed, 18 insertions(+), 6 deletions(-)
+ openbsd-compat/strlcat.c | 10 +++++++---
+ openbsd-compat/strlcpy.c |  8 ++++++--
+ openbsd-compat/strnlen.c |  8 ++++++--
+ 3 files changed, 19 insertions(+), 7 deletions(-)
 
 diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c
-index bcc1b61..e758ebf 100644
+index bcc1b61..124e1e3 100644
 --- a/openbsd-compat/strlcat.c
 +++ b/openbsd-compat/strlcat.c
 @@ -23,6 +23,7 @@
@@ -29,6 +32,15 @@ index bcc1b61..e758ebf 100644
  
  /*
   * Appends src to string dst of size siz (unlike strncat, siz is the
+@@ -42,7 +43,7 @@ strlcat(char *dst, const char *src, size_t siz)
+ 	/* Find the end of dst and adjust bytes left but don't go past end */
+ 	while (n-- != 0 && *d != '\0')
+ 		d++;
+-	dlen = d - dst;
++	dlen = (uintptr_t)d - (uintptr_t)dst;
+ 	n = siz - dlen;
+ 
+ 	if (n == 0)
 @@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz)
  		s++;
  	}
@@ -70,7 +82,7 @@ index b4b1b60..b06f374 100644
  
  #endif /* !HAVE_STRLCPY */
 diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c
-index 93d5155..9b8de5d 100644
+index 7ad3573..7040f1f 100644
 --- a/openbsd-compat/strnlen.c
 +++ b/openbsd-compat/strnlen.c
 @@ -23,6 +23,7 @@
@@ -95,5 +107,5 @@ index 93d5155..9b8de5d 100644
  }
  #endif
 -- 
-1.9.1
+2.17.1
 
diff --git a/recipes-connectivity/openssh/openssh/init b/recipes-connectivity/openssh/openssh/init
index 386628a..8887e3a 100644
--- a/recipes-connectivity/openssh/openssh/init
+++ b/recipes-connectivity/openssh/openssh/init
@@ -19,25 +19,6 @@ fi
 [ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
 mkdir -p $SYSCONFDIR
 
-parse_sshd_opts() {
-    set -- ${SSHD_OPTS} --
-    sshd_config=/etc/ssh/sshd_config
-    while true ; do
-        case "$1" in
-        -f*) if [ "$1" = "-f" ] ; then
-                 sshd_config="$2"
-                 shift
-             else
-                 sshd_config="${1#-f}"
-             fi
-             shift
-             ;;
-        --) shift; break;;
-        *) shift;;
-        esac
-    done
-}
-
 check_for_no_start() {
     # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
     if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then
@@ -55,51 +36,7 @@ check_privsep_dir() {
 }
 
 check_config() {
-	/usr/sbin/sshd -t $SSHD_OPTS || exit 1
-}
-
-check_keys() {
-	# parse location of keys
-	local HOST_KEY_RSA
-	local HOST_KEY_DSA
-	local HOST_KEY_ECDSA
-	local HOST_KEY_ED25519
-
-	parse_sshd_opts
-	HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
-	[ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
-	[ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
-	HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
-	[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
-	[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
-	HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
-	[ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
-	[ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
-	HOST_KEY_ED25519=$(grep ^HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ')
-	[ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$(grep HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ')
-	[ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key
-
-	# create keys if necessary
-	if [ ! -f $HOST_KEY_RSA ]; then
-		echo "  generating ssh RSA key..."
-		mkdir -p $(dirname $HOST_KEY_RSA)
-		ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa
-	fi
-	if [ ! -f $HOST_KEY_ECDSA ]; then
-		echo "  generating ssh ECDSA key..."
-		mkdir -p $(dirname $HOST_KEY_ECDSA)
-		ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa
-	fi
-	if [ ! -f $HOST_KEY_DSA ]; then
-		echo "  generating ssh DSA key..."
-		mkdir -p $(dirname $HOST_KEY_DSA)
-		ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa
-	fi
-	if [ ! -f $HOST_KEY_ED25519 ]; then
-		echo "  generating ssh ED25519 key..."
-		mkdir -p $(dirname $HOST_KEY_ED25519)
-		ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519
-	fi
+    /usr/sbin/sshd $SSHD_OPTS -t || exit 1
 }
 
 export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
@@ -108,30 +45,30 @@ case "$1" in
   start)
 	check_for_no_start
 	echo "Starting OpenBSD Secure Shell server: sshd"
-	check_keys
+	@LIBEXECDIR@/sshd_check_keys
 	check_privsep_dir
 	start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS
-        echo "done."
+	echo "done."
 	;;
   stop)
-        echo -n "Stopping OpenBSD Secure Shell server: sshd"
+	echo -n "Stopping OpenBSD Secure Shell server: sshd"
 	start-stop-daemon -K -p $PIDFILE -x /usr/sbin/sshd
-        echo "."
+	echo "."
 	;;
 
   reload|force-reload)
 	check_for_no_start
-	check_keys
+	@LIBEXECDIR@/sshd_check_keys
 	check_config
-        echo -n "Reloading OpenBSD Secure Shell server's configuration"
+	echo -n "Reloading OpenBSD Secure Shell server's configuration"
 	start-stop-daemon -K -p $PIDFILE -s 1 -x /usr/sbin/sshd
 	echo "."
 	;;
 
   restart)
-  	check_keys
+	@LIBEXECDIR@/sshd_check_keys
 	check_config
-        echo -n "Restarting OpenBSD Secure Shell server: sshd"
+	echo -n "Restarting OpenBSD Secure Shell server: sshd"
 	start-stop-daemon -K -p $PIDFILE --oknodo -x /usr/sbin/sshd
 	check_for_no_start
 	check_privsep_dir
diff --git a/recipes-connectivity/openssh/openssh/openssh-8.1p1-add-test-support-for-busybox.patch b/recipes-connectivity/openssh/openssh/openssh-8.1p1-add-test-support-for-busybox.patch
deleted file mode 100644
index d6fbd3b..0000000
--- a/recipes-connectivity/openssh/openssh/openssh-8.1p1-add-test-support-for-busybox.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-diff -ruN a/regress/cipher-speed.sh b/regress/cipher-speed.sh
---- a/regress/cipher-speed.sh	2019-12-03 13:16:36.091896387 -0600
-+++ b/regress/cipher-speed.sh	2019-12-03 13:28:29.726275955 -0600
-@@ -17,7 +17,7 @@
- 		printf "%-60s" "$c/$m:"
- 		( ${SSH} -o 'compression no' \
- 			-F $OBJ/ssh_proxy -m $m -c $c somehost \
--			exec sh -c \'"dd of=/dev/null obs=32k"\' \
-+			exec sh -c \'"dd of=/dev/null bs=32k"\' \
- 		< ${DATA} ) 2>&1 | getbytes
- 
- 		if [ $? -ne 0 ]; then
-diff -ruN a/regress/key-options.sh b/regress/key-options.sh
---- a/regress/key-options.sh	2019-12-03 13:24:44.164243780 -0600
-+++ b/regress/key-options.sh	2019-12-03 13:33:14.447235791 -0600
-@@ -84,7 +84,7 @@
- 	fi
- 
- 	sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
--	from=`head -1 $authkeys | cut -f1 -d ' '`
-+	from=`head -n 1 $authkeys | cut -f1 -d ' '`
- 	verbose "key option $from"
- 	r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'`
- 	if [ "$r" = "true" ]; then
-diff -ruN a/regress/transfer.sh b/regress/transfer.sh
---- a/regress/transfer.sh	2019-12-03 13:16:58.342857354 -0600
-+++ b/regress/transfer.sh	2019-12-03 13:29:08.733267753 -0600
-@@ -13,7 +13,7 @@
- for s in 10 100 1k 32k 64k 128k 256k; do
- 	trace "dd-size ${s}"
- 	rm -f ${COPY}
--	dd if=$DATA obs=${s} 2> /dev/null | \
-+	dd if=$DATA bs=${s} 2> /dev/null | \
- 		${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
- 	if [ $? -ne 0 ]; then
- 		fail "ssh cat $DATA failed"
-diff -ruN a/regress/yes-head.sh b/regress/yes-head.sh
---- a/regress/yes-head.sh	2019-12-03 13:17:11.682259074 -0600
-+++ b/regress/yes-head.sh	2019-12-03 13:32:47.699869866 -0600
-@@ -3,7 +3,7 @@
- 
- tid="yes pipe head"
- 
--lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)`
-+lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -n 2000"' | (sleep 3 ; wc -l)`
- if [ $? -ne 0 ]; then
- 	fail "yes|head test failed"
- 	lines = 0;
diff --git a/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-cipher.patch b/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-cipher.patch
deleted file mode 100644
index 507026c..0000000
--- a/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-cipher.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- a/cipher.c	2019-12-03 12:46:22.282290586 -0600
-+++ b/cipher.c	2019-12-03 12:45:19.273805437 -0600
-@@ -158,8 +158,10 @@
- u_int
- cipher_seclen(const struct sshcipher *c)
- {
-+#ifndef OPENSSL_NO_DES
- 	if (strcmp("3des-cbc", c->name) == 0)
- 		return 14;
-+#endif
- 	return cipher_keylen(c);
- }
- 
diff --git a/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-pkcs11.patch b/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-pkcs11.patch
deleted file mode 100644
index 46b60b5..0000000
--- a/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-pkcs11.patch
+++ /dev/null
@@ -1,52 +0,0 @@
---- a/pkcs11.h	2019-12-03 12:52:10.920974412 -0600
-+++ b/pkcs11.h	2019-12-03 12:56:56.383171416 -0600
-@@ -342,9 +342,11 @@
- #define CKK_GENERIC_SECRET	(0x10)
- #define CKK_RC2			(0x11)
- #define CKK_RC4			(0x12)
-+#ifndef OPENSSL_NO_DES
- #define CKK_DES			(0x13)
- #define CKK_DES2		(0x14)
- #define CKK_DES3		(0x15)
-+#endif /* OPENSSL_NO_DES */
- #define CKK_CAST		(0x16)
- #define CKK_CAST3		(0x17)
- #define CKK_CAST128		(0x18)
-@@ -512,6 +514,7 @@
- #define CKM_RC2_CBC_PAD			(0x105)
- #define CKM_RC4_KEY_GEN			(0x110)
- #define CKM_RC4				(0x111)
-+#ifndef OPENSSL_NO_DES
- #define CKM_DES_KEY_GEN			(0x120)
- #define CKM_DES_ECB			(0x121)
- #define CKM_DES_CBC			(0x122)
-@@ -525,6 +528,7 @@
- #define CKM_DES3_MAC			(0x134)
- #define CKM_DES3_MAC_GENERAL		(0x135)
- #define CKM_DES3_CBC_PAD		(0x136)
-+#endif /* OPENSSL_NO_DES */
- #define CKM_CDMF_KEY_GEN		(0x140)
- #define CKM_CDMF_ECB			(0x141)
- #define CKM_CDMF_CBC			(0x142)
-@@ -610,8 +614,10 @@
- #define CKM_MD5_KEY_DERIVATION		(0x390)
- #define CKM_MD2_KEY_DERIVATION		(0x391)
- #define CKM_SHA1_KEY_DERIVATION		(0x392)
-+#ifndef OPENSSL_NO_DES
- #define CKM_PBE_MD2_DES_CBC		(0x3a0)
- #define CKM_PBE_MD5_DES_CBC		(0x3a1)
-+#endif /* OPENSSL_NO_DES */
- #define CKM_PBE_MD5_CAST_CBC		(0x3a2)
- #define CKM_PBE_MD5_CAST3_CBC		(0x3a3)
- #define CKM_PBE_MD5_CAST5_CBC		(0x3a4)
-@@ -620,8 +626,10 @@
- #define CKM_PBE_SHA1_CAST128_CBC	(0x3a5)
- #define CKM_PBE_SHA1_RC4_128		(0x3a6)
- #define CKM_PBE_SHA1_RC4_40		(0x3a7)
-+#ifndef OPENSSL_NO_DES
- #define CKM_PBE_SHA1_DES3_EDE_CBC	(0x3a8)
- #define CKM_PBE_SHA1_DES2_EDE_CBC	(0x3a9)
-+#endif /* OPENSSL_NO_DES */
- #define CKM_PBE_SHA1_RC2_128_CBC	(0x3aa)
- #define CKM_PBE_SHA1_RC2_40_CBC		(0x3ab)
- #define CKM_PKCS5_PBKD2			(0x3b0)
diff --git a/recipes-connectivity/openssh/openssh/run-ptest b/recipes-connectivity/openssh/openssh/run-ptest
index 36a3d2a..ae03e92 100755
--- a/recipes-connectivity/openssh/openssh/run-ptest
+++ b/recipes-connectivity/openssh/openssh/run-ptest
@@ -1,11 +1,12 @@
 #!/bin/sh
 
 export TEST_SHELL=sh
+export SKIP_UNIT=1
 
 cd regress
 sed -i "/\t\tagent-ptrace /d" Makefile
 make -k .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="sudo" tests \
-        | sed -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g'
+        | sed -u -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g'
 
 SSHAGENT=`which ssh-agent`
 GDB=`which gdb`
diff --git a/recipes-connectivity/openssh/openssh/ssh_config b/recipes-connectivity/openssh/openssh/ssh_config
index 9e91915..e0d0238 100644
--- a/recipes-connectivity/openssh/openssh/ssh_config
+++ b/recipes-connectivity/openssh/openssh/ssh_config
@@ -1,4 +1,4 @@
-#	$OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $
+#	$OpenBSD: ssh_config,v 1.33 2017/05/07 23:12:57 djm Exp $
 
 # This is the ssh client system-wide configuration file.  See
 # ssh_config(5) for more information.  This file provides defaults for
@@ -31,14 +31,14 @@ Host *
 #   AddressFamily any
 #   ConnectTimeout 0
 #   StrictHostKeyChecking ask
-#   IdentityFile ~/.ssh/identity
 #   IdentityFile ~/.ssh/id_rsa
 #   IdentityFile ~/.ssh/id_dsa
+#   IdentityFile ~/.ssh/id_ecdsa
+#   IdentityFile ~/.ssh/id_ed25519
 #   Port 22
-#   Protocol 2,1
-#   Cipher 3des
-#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
-#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
+#   Protocol 2
+#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
+#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
 #   EscapeChar ~
 #   Tunnel no
 #   TunnelDevice any:any
diff --git a/recipes-connectivity/openssh/openssh/sshd b/recipes-connectivity/openssh/openssh/sshd
index 182650b..4882e58 100644
--- a/recipes-connectivity/openssh/openssh/sshd
+++ b/recipes-connectivity/openssh/openssh/sshd
@@ -5,7 +5,6 @@ account    required     pam_nologin.so
 account    include      common-account
 password   include      common-password
 session    optional     pam_keyinit.so force revoke
-session    optional     pam_radauth.so
 session    include      common-session
 session    required     pam_loginuid.so
 
diff --git a/recipes-connectivity/openssh/openssh/sshd.socket b/recipes-connectivity/openssh/openssh/sshd.socket
index 12c39b2..8d76d62 100644
--- a/recipes-connectivity/openssh/openssh/sshd.socket
+++ b/recipes-connectivity/openssh/openssh/sshd.socket
@@ -1,5 +1,6 @@
 [Unit]
 Conflicts=sshd.service
+Wants=sshdgenkeys.service
 
 [Socket]
 ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
diff --git a/recipes-connectivity/openssh/openssh/sshd@.service b/recipes-connectivity/openssh/openssh/sshd@.service
index 9d83dfb..9d9965e 100644
--- a/recipes-connectivity/openssh/openssh/sshd@.service
+++ b/recipes-connectivity/openssh/openssh/sshd@.service
@@ -1,13 +1,10 @@
 [Unit]
 Description=OpenSSH Per-Connection Daemon
-Wants=sshdgenkeys.service
 After=sshdgenkeys.service
 
 [Service]
 Environment="SSHD_OPTS="
 EnvironmentFile=-/etc/default/ssh
 ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS
-ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
 StandardInput=socket
-StandardError=syslog
 KillMode=process
diff --git a/recipes-connectivity/openssh/openssh/sshd_check_keys b/recipes-connectivity/openssh/openssh/sshd_check_keys
new file mode 100644
index 0000000..1931dc7
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -0,0 +1,78 @@
+#! /bin/sh
+
+generate_key() {
+    local FILE=$1
+    local TYPE=$2
+    local DIR="$(dirname "$FILE")"
+
+    mkdir -p "$DIR"
+    ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
+
+    # Atomically rename file public key
+    mv -f "${FILE}.tmp.pub" "${FILE}.pub"
+
+    # This sync does double duty: Ensuring that the data in the temporary
+    # private key file is on disk before the rename, and ensuring that the
+    # public key rename is completed before the private key rename, since we
+    # switch on the existence of the private key to trigger key generation.
+    # This does mean it is possible for the public key to exist, but be garbage
+    # but this is OK because in that case the private key won't exist and the
+    # keys will be regenerated.
+    #
+    # In the event that sync understands arguments that limit what it tries to
+    # fsync(), we provided them. If it does not, it will simply call sync()
+    # which is just as well
+    sync "${FILE}.pub" "$DIR" "${FILE}.tmp"
+
+    mv "${FILE}.tmp" "$FILE"
+
+    # sync to ensure the atomic rename is committed
+    sync "$DIR"
+}
+
+# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
+if test -f /etc/default/ssh; then
+    . /etc/default/ssh
+fi
+
+[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
+mkdir -p $SYSCONFDIR
+
+# parse sshd options
+set -- ${SSHD_OPTS} --
+sshd_config=/etc/ssh/sshd_config
+while true ; do
+    case "$1" in
+    -f*) if [ "$1" = "-f" ] ; then
+            sshd_config="$2"
+            shift
+        else
+            sshd_config="${1#-f}"
+        fi
+        shift
+        ;;
+    --) shift; break;;
+    *) shift;;
+    esac
+done
+
+HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}")
+[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key"
+
+for key in ${HOST_KEYS} ; do
+    [ -f $key ] && continue
+    case $key in
+    *_rsa_key)
+        echo "  generating ssh RSA host key..."
+        generate_key $key rsa
+        ;;
+    *_ecdsa_key)
+        echo "  generating ssh ECDSA host key..."
+        generate_key $key ecdsa
+        ;;
+    *_ed25519_key)
+        echo "  generating ssh ED25519 host key..."
+        generate_key $key ed25519
+        ;;
+    esac
+done
diff --git a/recipes-connectivity/openssh/openssh/sshd_config b/recipes-connectivity/openssh/openssh/sshd_config
index 31fe5d9..15f061b 100644
--- a/recipes-connectivity/openssh/openssh/sshd_config
+++ b/recipes-connectivity/openssh/openssh/sshd_config
@@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
+#	$OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -7,7 +7,7 @@
 
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options change a
+# possible, but leave them commented.  Uncommented options override the
 # default value.
 
 #Port 22
@@ -15,43 +15,30 @@
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 
-# The default requires explicit activation of protocol 1
-Protocol 2
-
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
 #HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 #HostKey /etc/ssh/ssh_host_ed25519_key
 
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 1024
-
 # Ciphers and keying
 #RekeyLimit default none
 
 # Logging
-# obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 #LogLevel INFO
 
 # Authentication:
 
 #LoginGraceTime 2m
-#PermitRootLogin yes
+#PermitRootLogin prohibit-password
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
 
-#RSAAuthentication yes
 #PubkeyAuthentication yes
 
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 # but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
 
 #AuthorizedPrincipalsFile none
 
@@ -59,11 +46,9 @@ AuthorizedKeysFile .ssh/authorized_keys
 #AuthorizedKeysCommandUser nobody
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
+# HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
@@ -72,7 +57,8 @@ AuthorizedKeysFile .ssh/authorized_keys
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
 
-# Change to no to disable s/key passwords
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
 ChallengeResponseAuthentication no
 
 # Kerberos options
@@ -111,7 +97,7 @@ ChallengeResponseAuthentication no
 Compression no
 ClientAliveInterval 15
 ClientAliveCountMax 4
-#UseDNS yes
+#UseDNS no
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
diff --git a/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/recipes-connectivity/openssh/openssh/sshdgenkeys.service
index 148e6ad..fd81793 100644
--- a/recipes-connectivity/openssh/openssh/sshdgenkeys.service
+++ b/recipes-connectivity/openssh/openssh/sshdgenkeys.service
@@ -1,22 +1,9 @@
 [Unit]
 Description=OpenSSH Key Generation
 RequiresMountsFor=/var /run
-ConditionPathExists=!/var/run/ssh/ssh_host_rsa_key
-ConditionPathExists=!/var/run/ssh/ssh_host_dsa_key
-ConditionPathExists=!/var/run/ssh/ssh_host_ecdsa_key
-ConditionPathExists=!/var/run/ssh/ssh_host_ed25519_key
-ConditionPathExists=!/etc/ssh/ssh_host_rsa_key
-ConditionPathExists=!/etc/ssh/ssh_host_dsa_key
-ConditionPathExists=!/etc/ssh/ssh_host_ecdsa_key
-ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key
 
 [Service]
-Environment="SYSCONFDIR=/etc/ssh"
-EnvironmentFile=-/etc/default/ssh
-ExecStart=@BASE_BINDIR@/mkdir -p $SYSCONFDIR
-ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' -t rsa
-ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' -t dsa
-ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' -t ecdsa
-ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ed25519_key -N '' -t ed25519
+ExecStart=@LIBEXECDIR@/sshd_check_keys
 Type=oneshot
 RemainAfterExit=yes
+Nice=10
diff --git a/recipes-connectivity/openssh/openssh_8.1p1.bb b/recipes-connectivity/openssh/openssh_8.4p1.bb
index 5bfd8e3..128e2e3 100644
--- a/recipes-connectivity/openssh/openssh_8.1p1.bb
+++ b/recipes-connectivity/openssh/openssh_8.4p1.bb
@@ -5,10 +5,10 @@ Ssh (Secure Shell) is a program for logging into a remote machine \
 and for executing commands on a remote machine."
 HOMEPAGE = "http://www.openssh.com/"
 SECTION = "console/network"
-LICENSE = "BSD"
+LICENSE = "BSD & ISC & MIT"
 LIC_FILES_CHKSUM = "file://LICENCE;md5=18d9e5a8b3dd1790d73502f50426d4d3"
 
-DEPENDS = "zlib openssl"
+DEPENDS = "zlib openssl virtual/crypt"
 DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 
 SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
@@ -20,19 +20,21 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://sshd@.service \
            file://sshdgenkeys.service \
            file://volatiles.99_sshd \
-           file://openssh-8.1p1-add-test-support-for-busybox.patch \
            file://run-ptest \
-           file://openssh-8.1p1-conditional-compile-des-in-cipher.patch \
-           file://openssh-8.1p1-conditional-compile-des-in-pkcs11.patch \
            file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
+           file://sshd_check_keys \
+           file://add-test-support-for-busybox.patch \
+           file://0f90440ca70abab947acbd77795e9f130967956c.patch \
            "
+SRC_URI[sha256sum] = "5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24"
 
-PAM_SRC_URI = "file://sshd"
+# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
+# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
+CVE_CHECK_WHITELIST += "CVE-2014-9278"
 
-SRC_URI[md5sum] = "513694343631a99841e815306806edf0"
-SRC_URI[sha256sum] = "02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff"
+PAM_SRC_URI = "file://sshd"
 
-inherit useradd update-rc.d update-alternatives systemd
+inherit manpages useradd update-rc.d update-alternatives systemd
 
 USERADD_PACKAGES = "${PN}-sshd"
 USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd"
@@ -45,19 +47,30 @@ SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket"
 
 inherit autotools-brokensep ptest
 
-# LFS support:
-CFLAGS += "-D__FILE_OFFSET_BITS=64"
+PACKAGECONFIG ??= "rng-tools"
+PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5"
+PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns"
+PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
+PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat"
+
+# Add RRECOMMENDS to rng-tools for sshd package
+PACKAGECONFIG[rng-tools] = ""
+
+EXTRA_AUTORECONF += "--exclude=aclocal"
 
 # login path is hardcoded in sshd
 EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
                 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
                 --without-zlib-version-check \
-                --with-privsep-path=/var/run/sshd \
+                --with-privsep-path=${localstatedir}/run/sshd \
                 --sysconfdir=${sysconfdir}/ssh \
-                --with-xauth=/usr/bin/xauth \
+                --with-xauth=${bindir}/xauth \
                 --disable-strip \
                 "
 
+# musl doesn't implement wtmp/utmp and logwtmp
+EXTRA_OECONF_append_libc-musl = " --disable-wtmp --disable-lastlog"
+
 # Since we do not depend on libbsd, we do not want configure to use it
 # just because it finds libutil.h.  But, specifying --disable-libutil
 # causes compile errors, so...
@@ -73,24 +86,22 @@ do_configure_prepend () {
 	export LD="${CC}"
 	install -m 0644 ${WORKDIR}/sshd_config ${B}/
 	install -m 0644 ${WORKDIR}/ssh_config ${B}/
-	if [ ! -e acinclude.m4 -a -e aclocal.m4 ]; then
-		cp aclocal.m4 acinclude.m4
-	fi
 }
 
 do_compile_ptest() {
         # skip regress/unittests/ binaries: this will silently skip
         # unittests in run-ptests which is good because they are so slow.
-        oe_runmake regress/modpipe regress/setuid-allowed regress/netcat
+        oe_runmake regress/modpipe regress/setuid-allowed regress/netcat \
+                   regress/check-perm regress/mkdtemp
 }
 
 do_install_append () {
-	if [ "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" = "pam" ]; then
+	if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
 		install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
 		sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config
 	fi
 
-	if [ "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" = "x11" ]; then
+	if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then
 		sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config
 	fi
 
@@ -107,7 +118,6 @@ do_install_append () {
 	install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
 	sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
 	echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
-	echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
 	echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
 	echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
 
@@ -118,7 +128,13 @@ do_install_append () {
 	sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
 		-e 's,@SBINDIR@,${sbindir},g' \
 		-e 's,@BINDIR@,${bindir},g' \
+		-e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
 		${D}${systemd_unitdir}/system/sshd.socket ${D}${systemd_unitdir}/system/*.service
+
+	sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
+		${D}${sysconfdir}/init.d/sshd
+
+	install -D -m 0755 ${WORKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys
 }
 
 do_install_ptest () {
@@ -133,6 +149,7 @@ FILES_${PN}-scp = "${bindir}/scp.${BPN}"
 FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
 FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_unitdir}/system"
 FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
+FILES_${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
 FILES_${PN}-sftp = "${bindir}/sftp"
 FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
 FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
@@ -140,14 +157,18 @@ FILES_${PN}-keygen = "${bindir}/ssh-keygen"
 
 RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
 RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
-RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make"
+RRECOMMENDS_${PN}-sshd_append_class-target = "\
+    ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \
+"
+
+# gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies
+RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils"
 
 RPROVIDES_${PN}-ssh = "ssh"
 RPROVIDES_${PN}-sshd = "sshd"
 
 RCONFLICTS_${PN} = "dropbear"
 RCONFLICTS_${PN}-sshd = "dropbear"
-RCONFLICTS_${PN}-keygen = "ssh-keygen"
 
 CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
 CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
@@ -156,5 +177,4 @@ ALTERNATIVE_PRIORITY = "90"
 ALTERNATIVE_${PN}-scp = "scp"
 ALTERNATIVE_${PN}-ssh = "ssh"
 
-do_rm_work () {
-}
+BBCLASSEXTEND += "nativesdk"
diff --git a/recipes-connectivity/openssh/openssh_%.bbappend b/recipes-connectivity/openssh/openssh_8.4p1.bbappend
index 53d3da1..9509e8f 100644
--- a/recipes-connectivity/openssh/openssh_%.bbappend
+++ b/recipes-connectivity/openssh/openssh_8.4p1.bbappend
@@ -1,6 +1,9 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}-mlinux:"
 
-SRC_URI += "file://ssh.default"
+SRC_URI += "file://ssh.default \
+            file://sshd \
+            file://sshd_config \
+            file://sshd_check_keys"
 
 KEYFILES = "ssh_host_dsa_key \
 ssh_host_dsa_key.pub \
@@ -13,6 +16,9 @@ ssh_host_ed25519_key.pub \
 "
 
 do_install_append() {
+  
+  echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+
   install -d ${D}${sysconfdir}/default
   install -m 644 ${WORKDIR}/ssh.default ${D}${sysconfdir}/default/ssh
   for f in ${KEYFILES}; do
author	Vyacheslav Pedash <vyacheslav.pedash@globallogic.com>	2021-02-08 18:41:15 +0200
committer	John Klug <john.klug@multitech.com>	2021-02-09 13:53:42 -0600
commit	b22c4ce0fcea2099fe598f5537d7cced50613c07 (patch)
tree	aaaed811e4db4086559fc4002b6aa255d16cbe41 /recipes-connectivity/openssh
parent	58995ef9573038e7da17d4592ca14b90d62b3d10 (diff)
download	meta-mlinux-b22c4ce0fcea2099fe598f5537d7cced50613c07.tar.gz meta-mlinux-b22c4ce0fcea2099fe598f5537d7cced50613c07.tar.bz2 meta-mlinux-b22c4ce0fcea2099fe598f5537d7cced50613c07.zip